Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Tue, 6 Feb 2001 21:15:17 -0800
Crispin Cowan wrote:
> We're trying to pick some conventions that have strong "capture the flag" like games, to do some validation on our Immunix security technologies, similar to the Type Enforcement machine that was at DefCon last year. We're already booked to go to DefCon this year, but we're looking for another/sooner convention to go to for a warm-up.
I personally consider these a less than ideal way to get that kind of feedback. I don't really have time to do a full hacking contests rant right now... short version is that I'm not against them per se.. but I have a particular set of standards for what I consider the "right way" to run one.

In particular answer to your question, I'd rather have a box available to me to try and break at my leisure. When I'm at a con, I already can't do half of the stuff I want to. If you want to impress people, and actually get a little research done, keep a box available at all times at hack.immunix.com or something. Make the prize, if any, something nominal.

I get really annoyed by hacking contests that are only for a few days or a week. I want to play, but I rarely have time at the moment of the contest. The prize amount isn't a factor for me for whether I'll participate or not. If I really want a prize, I'll get my own copy of Pitbull or Immunix, run it on a lab machine, and develop a private exploit. Then I'll sit on the exploit until contest time. Me sitting on an exploit doesn't serve anybody.

So far I really like the work going into the Immunix project. I'd hate to see you guys pull what some would see as a marketing scam. Don't get me wrong.. nothing wrong with having your box as a target in CTF... what would be wrong would be Immunix later saying it's secure based on lack of a break-in during CTF.

BB